Home

Description

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-06 | Updated 2026-05-07 | Assigner VulnCheck




CRITICAL: 9.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-1188 Initialization of a Resource with an Insecure Default

Product status

Default status
unaffected

Any version before 2026.4.15
affected

2026.4.15 (semver)
unaffected

Credits

dhyabi2 reporter

References

github.com/...enclaw/security/advisories/GHSA-xh72-v6v9-mwhc (GitHub Security Advisory (GHSA-xh72-v6v9-mwhc)) vendor-advisory

github.com/...ommit/c8003f1b33ed2924be5f62131bd28742c5a41aae (Patch Commit) patch

www.vulncheck.com/...ishu-webhook-and-card-action-validation (VulnCheck Advisory: OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation) third-party-advisory

cve.org (CVE-2026-44109)

nvd.nist.gov (CVE-2026-44109)

Download JSON